The Knowledge Safety Fee (DPC) has launched a proper inquiry into TikTok Know-how Restricted, scrutinizing the corporate’s practices concerning the switch and storage of European Financial Space (EEA) customers’ private information to servers in China.
This growth stems from discrepancies uncovered in a previous investigation concluded on April 30, 2025, the place TikTok asserted that EEA person information had been completely accessed remotely from China with none bodily storage on native servers.
Background on the Inquiry
Nonetheless, TikTok later disclosed in April 2025 that it had recognized a difficulty in February of the identical yr, revealing that restricted EEA person information had certainly been saved on Chinese language servers, contradicting its earlier submissions.
This revelation prompted the DPC to precise profound concern over the submission of inaccurate info, highlighting potential breaches of accountability and transparency below the Basic Knowledge Safety Regulation (GDPR).
In a press launch accompanying the earlier choice, the DPC emphasised its critical method to those developments and indicated consultations with peer EU supervisory authorities to find out additional regulatory actions.
The brand new inquiry, initiated below part 110 of the Knowledge Safety Act 2018 by Commissioners Dr. Des Hogan and Mr. Dale Sunderland, was notified to TikTok earlier this week.
It operates inside the GDPR’s One-Cease-Store mechanism, making certain coordinated oversight throughout EU regulators, and goals to evaluate TikTok’s compliance with key GDPR provisions within the context of those worldwide information transfers.
Scope of the Investigation
On the coronary heart of the inquiry is an examination of whether or not TikTok has adhered to its obligations below Chapter V of the GDPR, which governs transfers of private information to 3rd international locations exterior the EEA.
Such transfers are permissible provided that they preserve an primarily equal degree of safety to that afforded inside the EU, stopping any undermining of knowledge topics’ rights.
The DPC will particularly probe compliance with Article 5(2), which mandates accountability by requiring information controllers to display adherence to GDPR ideas; Article 13(1)(f), which calls for clear info to customers about transfers to 3rd international locations; Article 31, imposing an obligation to cooperate absolutely with supervisory authorities; and the broader necessities of Chapter V.
Notably, China lacks an Adequacy Choice from the European Fee below Article 45(1) GDPR, in contrast to jurisdictions comparable to Japan, the Republic of Korea, or the UK, the place information transfers are streamlined because of acknowledged equal protections.
Within the absence of such a call, TikTok, as the info controller, should depend on different safeguards like Normal Contractual Clauses (SCCs) or Binding Company Guidelines (BCRs) to legitimize transfers.
In line with the Report, these mechanisms obligate the controller to confirm and assure that the recipient nation’s authorized framework and practices don’t compromise information safety requirements, together with via threat assessments and supplementary measures as outlined in post-Schrems II jurisprudence.
The inquiry underscores the essential significance of those safeguards, as distant entry or inadvertent storage in non-adequate jurisdictions might expose EEA customers to dangers comparable to unauthorized surveillance or hindered enforcement of rights like entry and erasure.
By delving into these technical points, the DPC seeks to implement strong information governance, doubtlessly setting precedents for a way international platforms deal with cross-border information flows.
This case not solely highlights TikTok’s accountability lapses but additionally serves as a fascinating reminder of the GDPR’s function in empowering customers amid the digital age’s complexities, encouraging firms to prioritize transparency and compliance for a safer on-line ecosystem.
Keep Up to date on Each day Cybersecurity Information. Comply with us on Google Information, LinkedIn, and X.
